DETAILED ACTION

1. This action is in response to application amendments filed on 11-11-2009.

2. Claims 1, 3-5, 8, 13, 15 ~ 19, 22 - 25, 27, 28, 34, 35, 41, 43 are pending.
Claims 1, 3, 5, 8, 13, 15, 18, 18, 22 - 25, 27, 28, 34 have been amended. Claims 2, 6, 
7, 9 - 12, 14, 19-21, 26, 29 - 33, 36 - 40, 42 have been cancelled. Claims 1, 3, 5, 8, 
13, 15, 16, 18, 22, 23, 24, 25, 27, 28, 34, 35 are independent. This application was 
filed on 3-20-2004. 

Response to Arguments 

3. Applicant's arguments have been fully considered but they were not persuasive. 

3.1 Applicant argues that the referenced prior art does not disclose, "changing the
measurement parameters when the communication is judged to have been executed by
the worm at the judging"; "wherein the acquiring includes acquiring, based on the
measurement parameters changed at the changing, the information on the
communication judged to have been executed by the worm at the judging"; "the
acquiring unit acquires, based on the measurement parameters changed by the setting
changing unit, the information on the communication judged to have been executed by
the worm by the judging unit".

There is no specific disclosure for specific measurement parameters in the 
specification or original claims. The Spiegel prior art discloses that parameters are 
adjustable or changeable and can be changed or weighted based on other parameters. 
(see Spiegel col. 5, lines 15-21: dynamic (i.e. adjustable, changeable) parameters for
worm determination; relative (percentage) parameters used; col. 5, lines 47-53: heuristic 
can be fine tuned) 

Willebeek-LeMair prior art discloses self-hardening of the detection system which
optimizes the capabilities of the monitoring system. (Willebeek-LeMair paragraph
[0054], lines 1-14: tuning operation performed in an automated manner; paragraph
[0055], lines 1-17: effectuates a self-hardening system; paragraph [0056], lines 1-16:
threat detection and threat suppression (firewall) capabilities of the system are
continually being optimized (by the interlocking and agent functionalities in response to
continuous threat assessment analysis))

3.2 Applicant argues that the referenced prior art does not disclose, "changing the
judgment criteria when the communication is judged to have been executed by the
worm at the judging"; "wherein the judging includes further judging whether the
communication judged to have been executed by the worm at the judging has been
executed by the worm based on the information acquired and the judgment criteria
changed at the changing".

Spiegel prior art discloses the changing of the judgment criteria used to judge
whether a worm has intruded within communications, (see Spiegel col. 5, lines 8-10;
col. 5, lines 15-21: worm determination based on information and adjusted (i.e.
changed) information; col. 6, lines 15-22: software, implementation means)

3.3 Spiegel prior art discloses monitoring network traffic such as network packets and
analyzing the monitored traffic to determine whether the communication is from a
network node infected by a worm. The analysis is completed over a period of time,
(see Spiegel col. 1, lines 50-60; col. 3, lines 27-30: monitor network traffic based on
source and destination addresses, and information not matching criteria for normal
traffic; col. 3, lines 20-24: connection attempts to remote destinations over a period of
time)

Spiegel prior art discloses a determination that communication is executed by a
system infected by a worm. Spiegel prior art and its combination with Willebeek-LeMair
and Bunker disclose the criteria of a large number of packets and additional criteria
used to make the determination of communication from a system infected by a worm,
(see Spiegel col. 1, lines 50-60; col. 3, lines 27-30: monitor network traffic based on
source and destination addresses and information not matching criteria for normal traffic
setting; col. 1, lines 60-67; col. 3, line 63 - col. 4, line 9: determine communications due
to worm, based on threshold or predetermined criteria)

Spiegel prior art discloses that previously recorded information or historical 
information can be analyzed and compared to current communication information in 
order to make a determination of whether communication is coming from an infected 
worm, (see Spiegel col. 3, lines 58-67: worm determination; col. 5, lines 8-15: history or 
recorded information utilized in worm determination) In addition, threshold limitations in
data processing disclose a comparison of a current parameter value against a threshold 
value to determine a course of action. 

Spiegel prior art discloses the usage of threshold criteria to make a determination
of communication from a system infected by a worm. A threshold is a maximum limit
parameter. A current count of communication packets for connection attempts must be
counted or summed and the current count of these types of packets is compared
against a limit or threshold parameter.

Willebeek-LeMair prior art discloses the specific extraction of reference information
such as a port number from a communications packet. Willebeek-LeMair prior art
discloses the usage of port number information in the analysis of communication traffic,
(see Willebeek-LeMair paragraph [0031], lines 5-14: extract reference information (IP
address, port number))

Claim Rejections - 35 USC § 112

4. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

5. Claims 1, 3, 5, 8, 13, 15, 16, 22 - 25, 27, 28 are rejected under 35 U.S.C. 112, 
first paragraph, as failing to comply with the written description requirement. The 
claim(s) contains subject matter which was not described in the specification in such a
way as to reasonably convey to one skilled in the relevant art that the inventor(s), at the 
time the application was filed, had possession of the claimed invention. 

In Claims 1, 13, 15 there is no disclosure for the amended claim limitation: 
"changing the measurement parameters when the communication is judged to have 
been executed by the worm at the judging; wherein the acquiring includes acquiring, 
based on the measurement parameters changed at the changing, the information on the
communication judged to have been executed by the worm at the judging". 
Claims 3, 5, 8, 16, 22 - 25, 27, 28 disclose amendments to include measurement 
parameters. There is no disclosure for specific parameters utilized in the measurement 
of activity in the determination of whether a worm has intruded upon communication for 
a network connected system. The specification discloses the calculation of 
measurements over time to track the flow of network traffic from selected network nodes 
in the determination of the intrusion of a worm on network communications. 

For Claims 5, 18 there is no disclosure for the amended limitation: "all three 
conditions are satisfied". There is no disclosure for this claim limitation in the 
specification or the original claims. 

Appropriate correction is required. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

5. Claims 1, 3 - 5, 8, 13, 15 - 18, 22 - 24, 34, 41, 43 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Spiegel et al. (US Patent No. 7,159,149) in 
view of Willebeek-LeMair et al. (US PGPUB No. 20030204632).

With Regards to Claims 1, 13, 15, Spiegel discloses a computer readable recording
medium for storing a computer program, device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, the computer program 
causing a computer to perform: 

a) acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for 
measurement, (see Spiegel col. 1, lines 50-60; col. 3, lines 27-30: monitor
network traffic based on source and destination addresses, and information not
matching criteria for normal traffic setting; col. 3, lines 20-24: connection attempts
to remote destinations over a period of time; col. 2, lines 51-53; col. 2, lines 62-65;
col. 6, lines 15-22: software, implementation means)

Furthermore, Spiegel discloses: 

b) judging whether the communication has been being executed by the worm 
based on the information acquired and a predetermined judgment criteria; (see 
Spiegel col. 1, lines 60-67; col. 3, line 63 - col. 4, line 9: determine 
communications due to worm, based on threshold or predetermined criteria) 

e) changing the measurement parameters when the communication is judged to
have been executed by the worm at the judging; wherein the acquiring includes
acquiring, based on the measurement parameters changed at the changing, the
information on the communication judged to have been executed by the worm at
the judging, (see Spiegel col. 5, lines 15-21: dynamic (i.e. adjustable,
changeable) parameters used for worm determination; col. 5, lines 47-53:
heuristic can be fine tuned; col. 6, lines 15-26: software, implementation means;
col. 5, lines 38-42: threshold (parameters) can be easily reconfigured;
parameters can be set based on system requirements)

Spiegel does not specifically disclose extracting specific information and blocking
communication packet.

However, Willebeek-LeMair discloses: 

c) extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the 
communication judged to have been executed by the worm at the judging; (see 
Willebeek-LeMair paragraph [0031], lines 5-14: extract reference information (IP 
address, port number)) 

d) blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
based on the reference information extracted at the extracting, (see
Willebeek-LeMair paragraph [0017], lines 12-15; paragraph [0031], lines 5-14; paragraph
[0035], lines 7-14: block communications packets between network segments
(inside network segment and outside network segment))

It would have been obvious to one of ordinary skill in the art to modify Spiegel
for extracting specific information and blocking communication packet as taught by
Willebeek-LeMair. One of ordinary skill in the art would have been motivated to
employ the teachings of Willebeek-LeMair for threat detection and threat response
operational in an optimized manner that mitigates false detection, (see
Willebeek-LeMair paragraph [0013], lines 5-11)

With Regards to Claims 3, 16, Spiegel discloses a computer-readable recording 
medium for storing a computer program, device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, the computer program 
causing a computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for 
measurement parameters; as stated in Claim 1 above.

Furthermore, Spiegel discloses the following:

judging whether the communication has been executed by the worm based on the 
information acquired and a predetermined judgment criteria; as stated in Claim 1 
above; 

changing the judgment criteria when the communication is judged to have been
executed by the worm at the judging, wherein the judging includes further judging
whether the communication judged to have been executed by the worm at the
judging has been executed by the worm based on the information acquired and
the judgment criteria changed at the changing, (see Spiegel col. 5, lines 8-10;
col. 5, lines 15-21: worm determination based on information and adjusted (i.e.
changed) information; col. 6, lines 15-22: software, implementation means)

Spiegel does not specifically disclose extracting information and blocking 
communication. 

However, Willebeek-LeMair discloses the following: 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the 
communication judged to have been executed by the worm at the judging; as 
stated in Claim 1 above; 

blocking the communication packet that is transmitted between the predetermined 
network segment and the outside of the predetermined network based on the 
reference information extracted at the extracting as stated in Claim 1 above. 

Motivation to modify Spiegel as taught by Willebeek-LeMair is stated in Claim 1
above.

With Regards to Claims 4, 17, Spiegel discloses the computer readable recording
medium, device according to claims 1, 15, the judging includes judging that a
communication from a computer that is in the predetermined network segment is
executed by the worm when there is an increase in number of communication packets
as well as number of destination addresses of communication packets that are
transmitted from the predetermined network segment to the outside, (see Spiegel col. 3,
lines 20-27: network communication packets throughput increased, worm determination;
col. 4, lines 17-22: number of destination addresses is high; col. 6, lines 15-22:

With Regards to Claims 5, 18, Spiegel discloses a computer-readable recording
medium for storing a computer program, device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, the computer program 
causing a computer to perform: 

acquiring information related to a traffic and a communication address of a
communication packet based on measurement parameters; as stated in Claim 1
above.

Furthermore, Spiegel discloses the following: 

first judging whether a computer in the predetermined network segment is infected 
by the worm based on the information acquired and a predetermined judgment 
criteria; as stated in Claim 1 above; 

second judging whether a plurality of computers in the predetermined network 
segment are infected by the worm; (see Spiegel col. 1, lines 50-60; col. 3, lines 
27-30: monitor network traffic based on source and destination addresses, and 
information not matching criteria for normal traffic setting; col. 5, lines 8-10: 
history of worm detection; col. 5, lines 47-50: particular source/destination 
addresses (i.e. for a computer) monitored) 

the second judging includes judging that plurality of computers in the predetermined
network segment are infected by the worm all three conditions are satisfied, the
three conditions being that; (see Spiegel col. 5, lines 8-10: history of worm
detection; col. 5, lines 47-50: particular source/destination addresses (i.e. for a
computer) monitored)

f) a communication from the computer in the predetermined network segment is 
judged to be infected by the worm at the first judging; (see Spiegel col. 5, lines 8- 
10: history of worm detection; col. 5, lines 47-50: particular source/destination 
addresses (i.e. for a computer) monitored; col. 6, lines 15-22: software, 
implementation means) 

g) a number of communication packets that are transmitted from the predetermined 
network segment to the outside becomes greater than a number of 
communication packets transmitted from the predetermined network segment to 
the outside when the computer is judged to be infected by the worm at the first
judging, and a number of destination addresses of the communication packets 
transmitted from the predetermined network segment to the outside when the 
computer is judged to be infected by the worm at the first judging, (see Spiegel 
col. 3, lines 20-27: worm determination based on number of packets transferred 
to addresses (i.e. inside or outside local network); connection attempts 
(destination addresses)) 

Spiegel does not specifically disclose extracting information and blocking 
communication. 

However, Willebeek-LeMair discloses the following:

extracting reference information for identifying a communication packet to be
blocked from a plurality of communication packets transmitted in the 
communication upon it being judged at the first judging that the computer is 
infected by the worm; as stated in Claim 1 above; 

blocking the communication packet that is transmitted between the predetermined 
network segment and the outside of the predetermined network based on the 
reference information extracted at the extracting; as stated in Claim 1 above. 

Motivation to modify Spiegel as taught by Willebeek-LeMair is stated in Claim 1
above.

With Regards to Claim 8, Spiegel discloses a computer-readable recording medium 
for storing a computer program for detecting a worm by monitoring a communication of 
a predetermined network segment that is connected to a network and judging whether 
the communication is executed by a worm, the computer program causing a computer 
to perform: 

acquiring information related to a traffic and a communication address of a
communication packet based on measurement parameters; as stated in Claim 1
above.

Furthermore, Spiegel discloses the following: 

judging whether the communication is executed by the worm based on the
information acquired and a predetermined judgment criteria; as stated in Claim 1
above;

the judging includes identifying a type of the worm by comparing features of a first
communication with features of a second communication executed by a worm
that are recorded in advance, when the first communication is judged to be
executed by a worm, (see Spiegel col. 3, lines 58-67: worm determination; col. 5,
lines 8-15: history or recorded information utilized in worm determination; col. 6, 
lines 15-22: software, implementation means) 

Spiegel does not specifically disclose extracting information and blocking 
communication. 

However, Willebeek-LeMair discloses the following: 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the 
communication upon it being judged at the judging that the communication is 
executed by the worm; as stated in Claim 1 above; 

blocking the communication packet that is transmitted between the predetermined 
network segment and the outside of the predetermined network based on the 
reference information extracted at the extracting; as stated in Claim 1 above. 

Motivation to modify Spiegel as taught by Willebeek-LeMair is stated in Claim 1
above.



With Regards to Claims 22, 23, 24, 34, Spiegel discloses a computer-readable 
recording medium for storing a computer program, device for detecting a worm by 
monitoring a communication of a predetermined network segment that is connected to a 
network and judging whether the communication is executed by a worm, the computer
program causing a computer to perform:

acquiring information related to a traffic and a communication address of a
communication packet based on measurement parameters; as stated in Claim 1
above.

Furthermore, Spiegel discloses: 

judging whether the communication has been executed by the worm based on the 
information acquired and a predetermined judgment criteria; as stated in Claim 1 
above. 

Spiegel does not specifically disclose extracting port information and blocking 
communication. 

However, Willebeek-LeMair discloses the following: 

extracting reference information for identifying a communication packet to be
blocked from a plurality of communication packets transmitted in the
communication judged to have been executed by the worm at the judging; as
stated in Claim 1 above;

blocking the communication packet that is transmitted between the predetermined
network segment and the outside of the predetermined network based on the
reference information extracted at the extracting; as stated in Claim 1 above;

the extracting includes extracting as the reference information, a most frequently
appearing port number of the communication packets transmitted in the
communication judged to have been executed by the worm, (see Willebeek-LeMair
paragraph [0031], lines 5-14: extract reference information (IP address, port
number))

Motivation to modify Spiegel as taught by Willebeek-LeMair is stated in Claim 1 
above. 

With Regards to Claim 41, Spiegel discloses the computer-readable recording medium 
according to claim 3, the judging includes judging that a communication from a 
computer that is in the predetermined network segment is executed by the worm based 
on communication packets as well as number of destination addresses of 
communication packets that are transmitted from the predetermined network segment 
to the outside, (see Spiegel col. 1, lines 50-62: connections attempts (communication
packets) directed to a destination address used in determination of a worm) 

Spiegel does not specifically disclose an increase in number of communication packets 
that are transmitted. 

However, Willebeek-LeMair discloses an increase in number of communication packets 
that are transmitted. (Willebeek-LeMair paragraph [0007], lines 8-12: large numbers of 
packets and connection requests (destination address)) 

Motivation to modify Spiegel as taught by Willebeek-LeMair is stated in Claim 1 above. 

With Regards to Claim 43, Spiegel discloses the computer-readable recording medium 
according to claim 8, the judging includes judging that a communication from a 
computer that is in the predetermined network segment is executed by the worm based
on communication packets as well as number of destination addresses of
communication packets that are transmitted from the predetermined network segment
to the outside, (see Spiegel col. 1, lines 50-62: connections attempts (communication
packets) directed to a destination address used in determination of a worm) 

Spiegel does not specifically disclose an increase in number of communication packets 
as well as number of destination addresses of communication packets that are 
transmitted. 

However, Willebeek-LeMair discloses an increase in number of communication packets 
as well as number of destination addresses of communication packets that are 
transmitted. (Willebeek-LeMair paragraph [0007], lines 8-12: large numbers of packets 
and connection requests (destination address)) 

Motivation to modify Spiegel as taught by Willebeek-LeMair is stated in Claim 1 above. 

6. Claims 25, 27, 28, 35 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Spiegel-"Willebeek-LeMair" and further in view of Bunker et al. (US PGPUB No. 
20030056116). 

With Regards to Claims 25, 27, 28, 35, Spiegel discloses the computer program, 
computer-readable medium, method, and device according to claims 1, 12, 13, 14, 33. 
(see Spiegel col. 1, lines 48-62: monitoring for worm determination; col. 4, lines 45-48: 
traffic analysis, calculation utilizing network addressing (IP address, port number)) a 
computer-readable recording medium for storing a computer program for detecting a
worm by monitoring a communication of a predetermined network segment that is 
connected to a network and judging whether the communication is executed by a worm, 
the computer program causing a computer to perform: 

acquiring information related to a traffic and a communication address of a
communication packet based on setting information including unit time for
measurement parameters; as stated in Claim 1 above.

Furthermore, Spiegel discloses:

judging whether the communication is executed by the worm based on the
information acquired and a predetermined judgment criteria; as stated in Claim 1
above.

Spiegel does not specifically disclose extracting information such as a port number
and blocking communication.

However, Willebeek-LeMair discloses the following: 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the 
communication upon it being judged at the judging that the communication is 
executed by the worm; as stated in Claim 1 above; 

blocking the communication packet that is transmitted between the predetermined 
network segment and the outside of the predetermined network based on the 
reference information extracted at the extracting; as stated in Claim 1 above.

Spiegel does not specifically disclose calculations utilizing reference information
such as port numbers in the analysis of worm determination.

However, Bunker discloses extracting further includes summing up, for each type of
the communication, a number of the communication packets transmitted in the 
communication upon it being judged that the communication is executed by the 
worm at the judging, and extracting, as the reference information, a type of the 
communication, the number of the communication packets is over a threshold value, 
(see Bunker paragraph [0189], lines 1-11; paragraph [0215], lines 1-5; paragraph 
[0220], lines 8-12: calculation (summation) of access information in worm 
determination) 

It would have been obvious to one of ordinary skill in the art to modify Spiegel 
to calculate a summation of reference information utilized for worm determination as 
taught by Bunker. One of ordinary skill in the art would have been motivated to 
employ the teachings of Bunker to emulate hacker methodology in a safe way and 
enable study of network security openings without affecting customer operations, 
(see Bunker paragraph [0012], lines 1-8) 

Conclusion 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Carlton V. Johnson whose telephone number is
571-270-1032. The examiner can normally be reached on Monday thru Friday,
8:00 - 5:00PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 